Mogahed Abdullah Alquhali, Anwar Al-shamairi
Sana'a University, Faculty of Computer & Information Technology
E-mail: [email protected], [email protected]

Abstract:
The core concept of the SDN architecture is the separation of the control plane from the data plane, which makes large data centers and cloud networks easier to control and manage and also improves flexibility and lowers cost.
On the other hand, SDN faces many challenges, and one of the most serious is security threats such as DDoS, which can cause a full or partial deadlock of the network and is therefore among the most dangerous attacks an SDN network can face. This study describes the DDoS attack mechanism and compares some common solutions proposed to detect or prevent this attack.

Keywords: SDN, cloud, security threats, deadlock, DDoS, attack mechanism.

Introduction:
SDN networks emerged as a technology to reduce the management challenges that grow with the size of a network. SDN divides the whole network into three tiers: the infrastructure layer, which consists of the whole networking infrastructure; the control layer, which consists of the control switches, contains the network operating system (NOS) and is also responsible for interfacing with the other two layers; and the application layer, which consists of servers, routers and other components that perform network services and applications. This architecture separates control operations from data plane operations through the control switches in order to improve manageability, reduce power usage, increase performance and prevent many security threats. However, it comes with other challenges that may have a larger impact on SDN than on traditional networks, such as denial of service attacks, which can hang an SDN network component and bring the whole network to a deadlock. The affected component can be the control switch, the links between components, or even a client on the network, and each of these can be compromised by different methods depending on the vulnerabilities found in the device or technology.
The impact of the attack depends on the number of attacking sources. To make DoS more powerful, attackers exploit clients to perform the attack with catastrophic impact by spreading botnet code within the network elements, converting them into slave devices called zombies that carry out the attacker's commands. The attacker can launch a flood DoS attack, ping of death, TCP ACK attack, SYN attack or smurf attack to achieve the primary goal of stopping the victim from responding. The goal can be achieved in different ways depending on the victim type: for example, the memory of a switch can be overflowed with redundant data about fake entries, filling its table with junk; another form of attack relies on the limited capacity of the link between the controller and the switches, transmitting a large volume of data that congests the channel and stops other legitimate transmissions. Many DDoS attacks succeeded over the last three years; the most notable was performed in September 2016 by IoT networks, exploiting a vulnerability in IoT devices from the company Hikvision and running the Mirai botnet on network clients to produce huge transmissions of up to 600 Gbps on the global network, which stopped the response of many hosting services and took many websites worldwide offline.

Figure 1: SDN approach.

DDoS attack scenarios in SDN:
Traditional DDoS attacks such as UDP flood, ICMP flood, flood DoS, TCP ACK, SYN, smurf, NTP amplification and ping of death are also viable in SDN. Since the SDN infrastructure is based on centralized management of network flows, SDN is very attractive to DDoS attackers. When a packet with an unknown source IP arrives at the network, the SDN policy directs the switch to forward it directly to the controller, and the controller then installs a flow rule for that source IP in the switch.
Attackers will send a huge number of packets from a large number of IPs, all of which will be forwarded to the controller. The huge number of attack packets then degrades the network response for legitimate users. A sample SDN topology is illustrated in Fig. 1. Some DDoS attack forms in SDN can be described as follows.

1. In the first form the attack target is the SDN controller. Attackers on the segment of any switch dump data traffic with fake IPs on it; that switch will resend all of these packets to the controller because they come from unknown IP addresses.
The link between the attacked switch and the controller is potentially congested as well.

2. The second form is a blind DDoS attack, where the target is the system resource, because the attack comes from different switches under the same controller. Since the fake traffic arrives from various switches, the attack load is divided, and it is intrinsically fuzzy and hard to detect.
3. The third form is a memory overflow attack that exploits the limited switch memory: the switch needs to store a new entry for each unmatched flow, so in general it suffers from an inflated table size. When an attacker generates new flows, the table fills up with fake IP entries, leaving no room to add new legitimate entries, which in effect stops the legitimate transmissions. Besides this, the target switch can also be made unavailable by more sophisticated methods: it can be cut off by blocking the links to that switch. Not all such traffic flows have a high bit rate, so the attack is difficult to detect.
However, the result is that the target becomes unreachable. In a Coremelt attack the link between switches is the target; this attack can be facilitated by communication between attackers located under different switches.

4. Finally, in the client attack the victim is a client on the network; for instance, the attack target can be a cloud server.
The attacker can run from the same switch or from another switch. The server's capabilities will be out of service if the controller does not detect the attack. Compared to conventional networks, the SDN architecture represents the best environment for DDoS attacks because of three inherent dynamics of attacks: propagation, aggregation, and widespread impact. A DDoS attack can rapidly affect the whole network, and the aggregated sources of attack make it more difficult to detect the original source. Two categories of solution can defend against DDoS attacks: the first is dedicated to the old-style unmanaged switches, whereas the other category provides solutions that can be implemented only on the newer smart manageable switches. The next section discusses five defense approaches.

Solutions against DDoS attacks in the SDN environment:
In order to cope with various DDoS scenarios in SDN environments, several solutions have been proposed in the literature. In fact, it is a novel research topic in which almost all mechanisms have been formulated in the last few years. In this section, these solutions are analyzed to examine their properties.
Since all models have their own pros and cons, it is not possible to state that one of these mechanisms is a superior solution. For this reason, security practitioners need to choose the appropriate one(s) according to their requirements. In order to provide a clear way to analyze and decide, classifications of these methods in terms of several aspects are also provided in this section. For that purpose, we elaborate on two dichotomies: one focusing on which elements they rely on (network elements vs. flows) and another focusing on their defense functionalities. Solutions in the literature can be classified according to whether they are intrinsic or extrinsic. A property that is inherited and essential is named intrinsic, whereas a property that varies depending on exterior factors is called extrinsic. In our case, some solutions are related to structural attributes of the SDN environment, whereas others are mostly related to the properties of network flows. For this reason, we propose to classify the identified mechanisms as intrinsic vs. extrinsic solutions.
This classification is illustrated in Fig. 2.

Figure 2: Classification of solutions against DDoS attacks in SDN.

Unmanaged switch solutions:
These solutions are proposed to work with older switches, avoiding the need to replace those switches with newer ones, which would raise the cost of the solution to an unreasonable level. Most SDN networks run on this type of switch, and compatibility is a core advantage of the SDN architecture, so these solutions are more important than the second type. They can be classified as intrinsic table-entry-based, scheduling-based, and architectural solutions. Table-entry-based solutions aim to reduce the table size in switches: every flow needs an entry in the switch memory, which becomes a bottleneck when a DDoS attack occurs with different IP addresses inside the packets.
For example, [5] and [6] suggest solutions to this problem. In [5], the impact of a DDoS attack on SDN is presented: managing the data flow into the table is important, so the policies are modified with several new processing criteria, such as the number of packets and the properties of the flow entry, and these are combined rather than relying on a single parameter such as the "earliest" module that represents the expiration time. Besides that, the flow entries should be temporarily stored and managed inside the controller. This solution is classified as a mitigation method. Similarly, Katta et al. [6] propose a memory-focused solution that avoids overflowing the switch memory, since switch specification limits such as a small memory capacity allow the switch to store only a limited number of entries.
From this point, a strict control policy must be applied to ensure that the entry tables on the switch hold valid information and to drop any other packet sending or receiving operations. This solution does not actually mitigate the impact of DDoS attacks. Other, scheduling-based solutions are applied on the controller. They assume that the most important defense should be applied at the core of the SDN system, which is the controller. These solutions are based on scheduling algorithms running on the controllers to ensure that every network component has a chance to send and receive and that no single device can take all the bandwidth for a long time. Their main principle is to prevent unmanaged link reservation by a single point; the attacker will continue its traffic flow and will not be detected or blocked.
The approach in [7] provides flexibility with an acceptable level of availability. Hsu et al. proposed hash-based algorithms to be performed on the controller to improve network availability and flexibility. Their solution uses round-robin scheduling, giving a tiny slice of time for each packet to be transmitted; if a packet needs more time, it must wait for its next quota. In [8], Lim et al. also proposed giving the controller defense a higher priority, to prevent the case where the whole network hangs because the controller is blocked from responding to valid traffic; even if the network has more than one controller, the attacker only needs to compromise the controllers one by one until all SDN controllers are stopped. To prevent the possibility that compromising one switch isolates all the network traffic under that switch, as in the previously proposed solutions, they proposed establishing multiple queues on the switch. Unlike the solution presented in [7], the solution proposed in [8] attempts to ensure that the controller keeps responding and never hangs. In the same manner, this solution gives no indication about the attacker, as it has no detection mechanism; thus, it does not differentiate legitimate and illegitimate packets because it does not provide packet-based details. Architectural solutions are based on the locations and responsibilities of network components, providing the ability to prevent DDoS attacks.
References [9] and [10] suggest enabling the controller to perform controlling functions and monitoring functions simultaneously. They also suggest a master that manages these controller functionalities. The model proposed in [9] requires that the controller be able to monitor one element while controlling another. DDoS attacks can be resolved by access to the number of packets only, so they are classified as low-resolution attacks, whereas detecting ARP caching and poisoning requires access to all attack packets. In their architecture, the monitor/controller units cooperate to detect and mitigate attacks, commanded by orchestrator instructions.
When an attack has been detected, the controller will reduce the bandwidth limit instead of blocking the whole bandwidth. The solution presented in [10] is similar to [9]: they split application/packet monitoring in the controller. In addition, to improve security and take advantage of load balancing, they proposed distributing the controllers, avoiding the threat of a single point of failure. They also suggest another level-based methodology in which the controller is separated into two layers consisting of a delegator and lower-level helper controllers. However, this does not provide a detection mechanism. Some solutions act to discover the illegitimate traffic so that it can be blocked or restricted; they can be classified into two groups: statistical solutions and machine-learning-based solutions. The Scotch model proposed in [14] mitigates attacks by scaling up the control plane with a virtual-switch-based overlay. In their experiments they found that the bottleneck can be caused by the switch-to-controller communication during DDoS attacks. Thus, in their solution, when a real switch is overloaded, any newer traffic is tunneled to a number of vSwitches, without the ability to detect the source of the attack. It acts identically for DDoS attacks.
Besides, it drops packets when they reach the predefined threshold value: all packets are dropped, even the legitimate ones. In [15], Kokila et al. propose a machine-learning-based solution that detects attacks using a support vector machine (SVM) classifier. Focusing on controller-based attacks, this solution is limited to detecting the attack without any action to mitigate it; thus it can be presented as part of an intelligent solution.

Managed switch solutions:
These solutions are dedicated to work only on the newer smart switches that support manageability features. References [11]–[14] employ statistical models, which build roadmap profiles by acquiring statistical information during a normal period.
Subsequently, these profiles are used to compare against the incoming packets and eliminate the packets that differ from the profile (attack packets). The FlowFence mechanism proposed in [11] has the switches monitor traffic and detect congestion based on bandwidth details; when congestion occurs, the switch sends an alarm to the controller, which collects data for analysis from the network switches connected to the congested link, detects the illegitimate traffic, and then commands the switches to limit the bandwidth.
This avoids starvation, but this solution, like many of the others discussed above, does not block the attack; it only mitigates its impact. Avant-Guard [12] is a complex model proposed to ensure security and improve resiliency against DDoS attacks. This solution is based on using two modules on the switches: connection migration (CM), to mitigate DoS requests, and actuating triggers (ATs). If a SYN or TCP request is proved to be legitimate, it is authorized and forwarded to its destination; this provides protection against SYN flood attacks. There are several proposed solutions that use entropy for conventional networks, but for SDN architectures there are few. One of them is the model presented in [13], a simple entropy-based DDoS flooding attack detection mechanism that can be included in the OpenFlow application on the edge switch. In this model, the entropy is determined for the target (destination) IP address.
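As an added example (not code from this paper or from any of the cited works), the following Python monitor applies two of the checks described above to one window of packets seen by an edge switch: the destination-IP entropy test of the model in [13], and the fraction of packets from previously unseen sources, which the packet-in mechanism described in the attack scenarios turns into controller load and new flow-table entries. The sample windows, the addresses and both thresholds are constructed for this example.

```python
import math
from collections import Counter

# Constructed sample windows of (src_ip, dst_ip) pairs as an edge switch
# would see them; all addresses are made up for this example.
NORMAL_WINDOW = [(f"10.0.0.{11 + i % 4}", f"10.0.1.{1 + i % 10}")
                 for i in range(20)]
# Flood window: 18 packets from 18 different spoofed sources aimed at one
# host, plus two ordinary packets.
ATTACK_WINDOW = ([(f"203.0.113.{i}", "10.0.1.5") for i in range(1, 19)]
                 + [("10.0.0.11", "10.0.1.2"), ("10.0.0.12", "10.0.1.7")])


def destination_entropy(window):
    """Shannon entropy (bits) of the destination IP field over the window.

    Traffic converging on one host pushes the entropy towards 0; ordinary
    traffic spread over several hosts keeps it high.
    """
    n = len(window)
    counts = Counter(dst for _, dst in window)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def unknown_source_ratio(window):
    """Fraction of packets whose source IP was not seen earlier in the window.

    Every first appearance of a source is a packet-in to the controller and a
    new flow entry, so a ratio near 1.0 means the switch-controller channel
    and the flow table are being filled with fresh entries.
    """
    seen, unknown = set(), 0
    for src, _ in window:
        if src not in seen:
            seen.add(src)
            unknown += 1
    return unknown / len(window) if window else 0.0


def analyse_window(window, entropy_threshold=1.0, source_threshold=0.8):
    """Apply both checks to one window; the two thresholds are assumed values."""
    h = destination_entropy(window)
    ratio = unknown_source_ratio(window)
    alarm = bool(window) and (h < entropy_threshold or ratio > source_threshold)
    result = {"entropy": round(h, 3), "unknown_source_ratio": round(ratio, 2),
              "alarm": alarm, "suspected_target": None}
    if alarm and h < entropy_threshold:
        # Low entropy means one destination dominates: report it as the target.
        result["suspected_target"] = Counter(d for _, d in window).most_common(1)[0][0]
    return result

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("flood", ATTACK_WINDOW)):
        print(name, analyse_window(window))
```

On the constructed windows the normal traffic scores about 3.3 bits of destination entropy with 20% unseen sources, while the flood drops to about 0.57 bits with every packet from a new source, so only the flood raises the alarm and names 10.0.1.5 as the target.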
If the entropy is lower than the predefined threshold value, a DDoS attack is detected and the target of the attack can be determined, but the model cannot tell the legitimate packets from the attack packets. This model performs distributed detection and alerting in the network and reduces the traffic monitoring overhead on the controller, at the extra cost of additional switches.

Discussion (defense functionalities and switch intelligence):
The proposed solutions are summarized in Table 1. In this table we classify them into subgroups based on the supported switches: some solutions can work with the common type of switch, whereas others can act only on the smart switches. The other evaluation factor is the style of the solution's functions: some of them can only detect DDoS attacks, others can mitigate the attack's effect, and finally a few solutions have dual functionality, detecting attacks and reducing their impact through various policies to provide a better security solution compared with the others. We propose to design a hybrid solution that exploits techniques to detect, mitigate and prevent attacks, and furthermore exploits methodologies that can work on traditional switches as well as on the intelligent managed switches, to provide a full DDoS security defense.

Table 1: Solution properties

Solution property          Managed    Unmanaged
Detection                  13         15
Mitigation                 —          5–8, 10, 14
Detection and mitigation   11, 12     9

References:
Al-musawi, F., Al-badi, A. H., & Ali, S. (2015). A Road Map to Risk Management Framework for Successful Implementation of Cloud Computing in Oman. 2015 International Conference on Intelligent Networking and Collaborative Systems, 417–422. https://doi. 80
El-kafrawy, P. M., Abdo, A. A., & Shawish, A. F. (2015). Security Issues Over Some Cloud Models. Procedia Computer Science, 65(Iccmit), 853–858. https://doi.org/10.1016/j.procs.2015.09.041
Trapero, R., Modic, J., Stopar, M., Taha, A., & Suri, N. (2017). A novel approach to manage cloud security SLA incidents. Future Generation Computer Systems, 72, 193–205. https://doi.org/10.1016/j.future.2016.06.004